Re: create keys and certificates for postfix/tls
Hello,

Please allow me to clarify many fallacies in your mail.

For one, labelling this as a souped up python script is simply incorrect. One git clones this project, which is not very different from other OSS projects. Once set up, the script allows for some autodetection (apache for instance), but you (as a BSD user) can use the standalone option to generate an ssl cert -- which does work very well on FreeBSD. letsencrypt.sh is also now in ports on FreeBSD, although I recommend the git cloned version.

- Your point 3 is incorrect. The checks can be DNS or http (nginx), not just DNS. This is very similar to having an ssl cert these days (CNAME to comodo is one of the options to get a new ssl). Calling it special sauce is doing it a disservice, as you fail to describe how it actually works.

- You don't run the script *every day*. You can sign for 30-90 days and automate the resigning via cron. Pretty easy. The symlinked /etc/letsencrypt will allow you to keep the ssl cert locations for httpd, sendmail, imap in one easy to find location.

- The latest git clone even launches its own http to do a quick check to generate/sign the ssl.

- Major sponsors include Cisco, mozilla, chrome, gandi.net, ovh among others. It's quite interesting to see such big names support something that would impact the ssl market.

Letsencrypt works well on FreeBSD stable. The latest git clone shows work to accommodate the *BSD. I haven't tried it on NetBSD yet.

I hope this clarifies some of the misunderstanding about this project.

Disclaimer: I am not part of the letsencrypt project

-- L

From: netbsd-users-ow...@netbsd.org <netbsd-users-ow...@netbsd.org> on behalf of Swift Griggs <swiftgri...@gmail.com>
Sent: Tuesday, March 1, 2016 10:43 AM
To: netbsd-users@netbsd.org
Subject: Re: create keys and certificates for postfix/tls

On Mon, 29 Feb 2016, Martin Husemann wrote:

> I am currently using free certificates from StartSSL.

Interesting that they even offer such a thing. I had to look them up.

> I looked at letsencrypt, but I couldn't make any sense of it - can
> somebody explain (from an admin point of view) how that is supposed to
> work?

It's a science project, for sure. I was playing with it recently under FreeBSD. My impression of how it's supposed to work is this:

1. You install a Python script using git.

2. You run the script and it tries to autoconfigure for your system. It's a script, so of course, that's mostly going to fail. The script tries to detect things like your cert locations in your Apache config. It does claim to be able to manage raw certs.

3. The script, in conjunction with back-end tools on their site, checks your domain's TXT records for an x509 special record with some special sauce to auth your CSR or whatever.

> Of course I will NOT install arbitrary 3rd party server side software
> (where my server OS isn't even officially supported) to handle
> important things like certificate renewals when it is a very simple
> task to do just once a year.

Their intention is, I believe, for you to run this Python script every day until the end of time and it'll handle cert updates automagically. They don't issue certs for any longer than 90 days as far as I can tell. So, I'm guessing you'll be doing a lot of updating and it'd definitely need to work. They have a protocol for the crypto ops called ACME. So, I suppose the Python script is the first (and only?) implementation of that.

> Given all the hype about it, I am sure I must be missing something. What
> is it?

My take is that it's a way to get a quick domain cert if you have control over your domain's DNS. I don't like the script-approach since it threw all kinds of warnings and errors, then failed to work under FreeBSD; I'm guessing it'll fail even worse for NetBSD.

In short, Linux Foundation + overly ambitious python script = meh.

-Swift
Re: create keys and certificates for postfix/tls
On Mon, 29 Feb 2016, Martin Husemann wrote:

> I am currently using free certificates from StartSSL.

Interesting that they even offer such a thing. I had to look them up.

> I looked at letsencrypt, but I couldn't make any sense of it - can
> somebody explain (from an admin point of view) how that is supposed to
> work?

It's a science project, for sure. I was playing with it recently under FreeBSD. My impression of how it's supposed to work is this:

1. You install a Python script using git.

2. You run the script and it tries to autoconfigure for your system. It's a script, so of course, that's mostly going to fail. The script tries to detect things like your cert locations in your Apache config. It does claim to be able to manage raw certs.

3. The script, in conjunction with back-end tools on their site, checks your domain's TXT records for an x509 special record with some special sauce to auth your CSR or whatever.

> Of course I will NOT install arbitrary 3rd party server side software
> (where my server OS isn't even officially supported) to handle
> important things like certificate renewals when it is a very simple
> task to do just once a year.

Their intention is, I believe, for you to run this Python script every day until the end of time and it'll handle cert updates automagically. They don't issue certs for any longer than 90 days as far as I can tell. So, I'm guessing you'll be doing a lot of updating and it'd definitely need to work. They have a protocol for the crypto ops called ACME. So, I suppose the Python script is the first (and only?) implementation of that.

> Given all the hype about it, I am sure I must be missing something. What
> is it?

My take is that it's a way to get a quick domain cert if you have control over your domain's DNS. I don't like the script-approach since it threw all kinds of warnings and errors, then failed to work under FreeBSD; I'm guessing it'll fail even worse for NetBSD.

In short, Linux Foundation + overly ambitious python script = meh.

-Swift
Re: create keys and certificates for postfix/tls
On Mon, 29 Feb 2016, the wise Lucius Rizzo wrote:

> You have a few options. All involve the use of openssl to generate key or csr
>
> See https://www.madboa.com/geek/openssl/
>
> 1. Create a self signed cert and point Postfix to use ssl key and pem which
> was self generated
> 2. Use letsencrypt (HIGHLY recommended). IMHO, the introduction of
> letsencrypt will kill the basic ssl cert signed market.
> 3. Get a signed cert from namecheap. (You can always buy a throwaway domain
> and add positivessl cert for a year for US $1.99)

Thanks for the link. I was able to create a self signed cert. After that I got the famous "unable to get local certificates" warning in Alpine. Solved this by just copying all certs and symlinks from my FreeBSD machine to the NetBSD machine and now the SSL stuff works.

Thanks for the help!

Regards,
Marco

--
Cohen's Law: There is no bottom to worse.
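As an added example (not code from any of the posters), this carries option 1 from Lucius's list through end to end: generate a self-signed key and certificate with openssl, emit the matching Postfix main.cf settings, and check the certificate the way a client would, which also shows why Alpine warned until the cert was placed in its trust store. The host name, output directory and validity period are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): option 1, a self-signed key and cert
# for Postfix TLS. Host name, paths and validity are assumptions.
set -eu

gen_selfsigned() {     # $1 mail host FQDN, $2 output dir, $3 days valid
    host=$1; dir=$2; days=$3
    mkdir -p "$dir"
    # Extensions via a config file, which also works on pre-1.1.1 OpenSSL.
    cat > "$dir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = $host
[v3]
subjectAltName = DNS:$host
extendedKeyUsage = serverAuth
EOF
    # umask in a subshell so the private key is created 0600 from the start.
    ( umask 077; openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -days "$days" -config "$dir/req.cnf" \
        -keyout "$dir/$host.key" -out "$dir/$host.pem" 2>/dev/null )
    chmod 644 "$dir/$host.pem"
}

postfix_tls_conf() {   # $1 cert path, $2 key path -> main.cf fragment
    # "may" is opportunistic TLS; "encrypt" on a public MX would bounce
    # mail from the many peers that still cannot negotiate TLS.
    cat <<EOF
smtpd_tls_cert_file = $1
smtpd_tls_key_file = $2
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_loglevel = 1
EOF
}

check_cert() {         # $1 cert path, $2 expected host name
    # A self-signed cert verifies only against itself: a client such as
    # Alpine warns until this very file is in its trust store.
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2" || return 1
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}
```

Call gen_selfsigned, check_cert and postfix_tls_conf in that order and append the emitted fragment to Postfix's main.cf (path and reload command depend on your install), then distribute the .pem to every client that should trust it.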
Re: create keys and certificates for postfix/tls
On Mon, Feb 29, 2016 at 12:05:47AM +, Lucius Rizzo wrote:
> You have a few options. All involve the use of openssl to generate key or csr
>
> See https://www.madboa.com/geek/openssl/
>
> 1. Create a self signed cert and point Postfix to use ssl key and pem which
> was self generated
> 2. Use letsencrypt (HIGHLY recommended). IMHO, the introduction of
> letsencrypt will kill the basic ssl cert signed market.
> 3. Get a signed cert from namecheap. (You can always buy a throwaway domain
> and add positivessl cert for a year for US $1.99)

I am currently using free certificates from StartSSL.

I looked at letsencrypt, but I couldn't make any sense of it - can somebody explain (from an admin point of view) how that is supposed to work?

Of course I will NOT install arbitrary 3rd party server side software (where my server OS isn't even officially supported) to handle important things like certificate renewals when it is a very simple task to do just once a year.

Given all the hype about it, I am sure I must be missing something. What is it?

Martin
Re: create keys and certificates for postfix/tls
On 02/28/2016 07:05 PM, Lucius Rizzo wrote:
> You have a few options. All involve the use of openssl to generate key or csr
>
> See https://www.madboa.com/geek/openssl/
>
> 1. Create a self signed cert and point Postfix to use ssl key and pem which
> was self generated
> 2. Use letsencrypt (HIGHLY recommended). IMHO, the introduction of
> letsencrypt will kill the basic ssl cert signed market.
> 3. Get a signed cert from namecheap. (You can always buy a throwaway domain
> and add positivessl cert for a year for US $1.99)
>

I use certs from cacert.org - free for my postfix and dovecot certs. I'm eventually planning on switching to letsencrypt but cacert.org is one source of free certs.

--- Marina Brown

>
> From: netbsd-users-ow...@netbsd.org <netbsd-users-ow...@netbsd.org> on behalf
> of Marco Beishuizen <mb...@xs4all.nl>
> Sent: Sunday, February 28, 2016 5:35 PM
> To: netbsd-users@netbsd.org
> Subject: create keys and certificates for postfix/tls
>
> Hi,
>
> I'm trying to make Postfix work with TLS enabled. Looks like I need some
> certificates and keys. How do I create them on NetBSD 7.0?
>
> Thanks in advance,
> Marco
>
> --
> You've been leading a dog's life. Stay off the furniture.
>
Re: create keys and certificates for postfix/tls
You have a few options. All involve the use of openssl to generate key or csr

See https://www.madboa.com/geek/openssl/

1. Create a self signed cert and point Postfix to use ssl key and pem which was self generated
2. Use letsencrypt (HIGHLY recommended). IMHO, the introduction of letsencrypt will kill the basic ssl cert signed market.
3. Get a signed cert from namecheap. (You can always buy a throwaway domain and add positivessl cert for a year for US $1.99)

From: netbsd-users-ow...@netbsd.org <netbsd-users-ow...@netbsd.org> on behalf of Marco Beishuizen <mb...@xs4all.nl>
Sent: Sunday, February 28, 2016 5:35 PM
To: netbsd-users@netbsd.org
Subject: create keys and certificates for postfix/tls

Hi,

I'm trying to make Postfix work with TLS enabled. Looks like I need some certificates and keys. How do I create them on NetBSD 7.0?

Thanks in advance,
Marco

--
You've been leading a dog's life. Stay off the furniture.
create keys and certificates for postfix/tls
Hi,

I'm trying to make Postfix work with TLS enabled. Looks like I need some certificates and keys. How do I create them on NetBSD 7.0?

Thanks in advance,
Marco

--
You've been leading a dog's life. Stay off the furniture.